A watchdog agency report says that the US government and its infrastructure remain vulnerable in at least a thousand ways to cyberattacks.

The US government has gotten pretty good, or at least pretty productive, over the past couple of decades at laying out, in multiple reports, plans, strategies and initiatives under multiple presidents, what needs to be done to improve the nation's cybersecurity, including the latest from just a month ago, called a "Cybersecurity Moonshot."

But actually getting it done? Based on findings of the US Government Accountability Office (GAO) this past fall, not so much.

According to a report titled "Urgent Actions are Needed to Address Cybersecurity Challenges Facing the Nation," delivered to Congress this past September, of more than 3,000 GAO recommendations to federal agencies since 2010 aimed at addressing cybersecurity shortcomings, about 1,000 of them have not been implemented.

It might be tempting to declare that this means the glass is two-thirds full. But in a world where the brutal reality is that cyber attackers need to be right only once to succeed, while defenders need to be right all the time, a glass that is one-third empty amounts to a gaping security hole.

And as you might expect, the risks of not fixing those vulnerabilities are significant. In a guest post for The Hill, Gene L. Dodaro, US comptroller general and head of the GAO, wrote that a partial list of those risks includes major blackouts, a takedown of electronic communications, bank account takeovers, identity theft and a stock market collapse that obviously would put the overall economy into a tailspin.

In a word: catastrophic. Not to mention that departments and agencies have had close to a decade to address many of them.

And when it comes to one of 10 action items in the report, titled "Ensure security of emerging technologies (the Internet of Things (IoT), artificial intelligence (AI) and cryptocurrency/blockchain)," the numbers are very small, but equally troubling.

The GAO has made only three recommendations specifically focused on emerging technologies, and while there has been some agreement and activity on them from the responsible agencies, none has been completed, including one that the GAO said warrants "priority attention from heads of key departments and agencies."

Why only three recommendations for a sector that includes the IoT, easily the broadest attack surface for hackers?

Nick Marinos, director of cybersecurity and data promotion issues at GAO, said the number of recommendations "does not reflect the amount of work that GAO has done to raise concerns regarding the cybersecurity of emerging technologies." He said many recommendations in the other nine action areas have connections to emerging technologies.

"For example, we have ongoing reviews looking at supply chain cybersecurity issues, as well as the impact of 5G on the government and nation," he said. "These have relevance to securing the emerging technology area, along with other topics."

And he said he expects the number of recommendations focused on emerging technologies "will increase quite substantially in the coming years."

For now, the single "priority" recommendation, which goes back nearly three years to March 2016, focused on vehicle security. It called for the Department of Transportation (DOT) to direct the National Highway Traffic Safety Administration (NHTSA) to "work expeditiously to finish defining, and then to document, the agency's roles and responsibilities in response to a vehicle cyberattack involving safety-critical systems."

The response from the DOT later that month agreed with the recommendation and cited a number of things the agency was doing, including research opportunities, convening a roundtable meeting with automotive stakeholders and reaching a "historic agreement" with 18 automakers on "proactive safety principles."

All of which could be boiled down to: "We're working on it." But not finished with it.

The current status of the recommendation said that by February 2018, almost two years later, the DOT had outlined NHTSA's roles and responsibilities to address cybersecurity incidents that involve automotive safety-critical systems "under its existing processes and authorities, but continues to examine whether these processes will need to be updated. In addition, NHTSA still needs to document how it will collaborate with other federal agencies and stakeholders in responding to a cyberattack."

And nothing since then, almost another year later. Which would be hard to describe as "expeditious."

Same for the other two recommendations, although they were not labeled "priority." These went to the Department of Defense (DOD) in a July 2017 report.

The first called for the DOD, along with the military, to "conduct operations security surveys that identify IoT security risks and protect DOD information and operations in accordance with DOD guidance, or address operations security risks posed by IoT devices through other DOD risk assessments."

While the DOD agreed with the recommendation, the GAO status report said it sought an update from the agency this past August and is "still awaiting their response."

The second called for the DOD and military to "review and assess existing departmental security policies and guidance on cybersecurity, operations security, physical security and information security that may affect IoT devices, and identify areas where new DOD policies and guidance may be needed, including for specific IoT devices, applications or procedures, and where existing security policies and guidance can be updated to address IoT security concerns."

The status of that one: DOD agreed with it, and has implemented "one geo-location policy in 2018 relating to operations security that addresses a portion of this recommendation."

Yes, it has been said for generations that the wheels of bureaucracy turn slowly. But this is a sector where the evolution of the industry and the sophistication and impact of attacks are not moving slowly.

Indeed, a GAO report from this past October found that almost all weapons that the DOD tested between 2012 and 2017, including the F-35 jet and missile systems, have "mission critical" cyber vulnerabilities and can be easily hacked using "relatively simple tools and techniques." Those weapons and systems are, of course, part of the IoT.

All of which points to what security experts have been saying for at least a couple of decades: If devices, networks and systems are easy to hack, it is because the software running them is insecure. It has unpatched vulnerabilities.

So if there is to be any hope of securing the IoT and other emerging technologies, one major requirement will be to include building security into software from the beginning to the end of the software development lifecycle (SDLC). There are plenty of recommendations and suggested best practices already available on how to do that.

So the current state of security also raises an obvious question: Who, or what department, has the leverage to force agencies to implement recommendations more, uh, expeditiously?

Marinos said agencies "are required by law to document an action plan to address recommendations from our reports." The head of GAO also meets regularly with department and agency heads "to discuss the status of open priority recommendations."

And, he added, Congress can follow up and take its own action if an agency fails to follow through.

That is always possible. But given the current focus of Congress, best not to hold your breath.